authentication – Security requirements for public API keys

I need to provide security requirements for public API keys that will be generated by a web application and then used in automation scripts by clients.

The scripts will be run on the endpoints several times a day via a cronjob.

The risk of a key exposure is very high, since whoever steals these scripts will be able to execute OS commands remotely on the client domains.

I need to prevent this kind of theft risk while keeping the UX as simple as possible.

For now, I’ve prepared the following requirements:

  1. The key will be generated by the web application, after logging in to the application.
  2. IP addresses will be paired with the key so that only the IP that generated the key can use the key.
  3. The key will inherit the permissions on the endpoint of the user who generated it.
  4. The user will select the set of authorised actions allowed by the key, e.g. running actions, downloading reports, etc.
  5. The keys will be strings of 40 random alphanumeric and special characters (a minimum size; they could be longer than that), or GUIDs.
  6. The API will have request rate limiting.
  7. Users should be guided not to hardcode the key in the scripts. The scripts should receive them as a parameter from the user.
  8. The keys will be revoked automatically after 30 days.
  9. Admins will be able to revoke the keys manually.
  10. The key will NOT be transferred as a part of the URL, only in a header or the request body.

What do you think about these recommendations?
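As an added worked example (not code from the question above, and not any particular product's implementation), the following Python sketch shows how requirements 2, 4, 5, 6, 8, 9 and 10 fit together server-side: a key is generated with `secrets`, only its hash is stored, it is bound to the issuing IP and a user-chosen set of scopes, it expires after 30 days, it can be revoked, it is only accepted from a header (never from the query string), and calls are rate-limited per key. The class name, header name, scope names, rate-limit values and sample IPs are all assumptions for illustration.

```python
"""Added example: minimal API-key issuance and validation covering the
requirements listed in the question. Illustrative names; not production code."""

import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Alphabet for the keys: alphanumerics plus a few header-safe specials.
# "." is deliberately excluded because it separates key id from secret.
ALPHABET = string.ascii_letters + string.digits + "-_~!*"
KEY_LENGTH = 40                      # minimum size from requirement 5
KEY_LIFETIME = 30 * 24 * 3600        # requirement 8: 30 days, in seconds
RATE_LIMIT = 60                      # requirement 6: requests per window (assumed)
RATE_WINDOW = 60                     # window length in seconds (assumed)


@dataclass
class KeyRecord:
    key_hash: bytes      # only a hash of the secret is stored server-side
    owner: str           # user who generated the key (requirement 3)
    allowed_ip: str      # requirement 2: IP paired with the key
    scopes: frozenset    # requirement 4: actions the user authorised
    created_at: float
    revoked: bool = False


class ApiKeyStore:
    def __init__(self):
        self._records = {}   # key_id -> KeyRecord
        self._usage = {}     # key_id -> [window_start, request_count]

    @staticmethod
    def _hash(secret: str) -> bytes:
        # A fast hash is acceptable here because the secret has ~240 bits of
        # entropy; a password KDF would only slow down the API.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, owner: str, client_ip: str, scopes, now=None) -> str:
        """Create a key for a logged-in user (requirement 1). The plaintext
        key is returned exactly once and never stored."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        secret = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
        self._records[key_id] = KeyRecord(
            key_hash=self._hash(secret), owner=owner, allowed_ip=client_ip,
            scopes=frozenset(scopes), created_at=now)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        """Requirement 9: manual revocation by an admin."""
        if key_id in self._records:
            self._records[key_id].revoked = True

    def authorize(self, headers, query, client_ip, action, now=None):
        """Validate one request. Returns (True, owner) or (False, reason)."""
        now = time.time() if now is None else now
        if "api_key" in query:                       # requirement 10
            return False, "key in URL rejected"
        presented = headers.get("X-Api-Key", "")
        if "." not in presented:
            return False, "missing key"
        key_id, secret = presented.split(".", 1)
        rec = self._records.get(key_id)
        if rec is None:
            return False, "unknown key"
        # Constant-time comparison of stored hash vs hash of presented secret.
        if not hmac.compare_digest(rec.key_hash, self._hash(secret)):
            return False, "bad secret"
        # Fixed-window rate limit per key, counted once the key is verified.
        win = self._usage.get(key_id)
        if win is None or now - win[0] >= RATE_WINDOW:
            win = [now, 0]
            self._usage[key_id] = win
        win[1] += 1
        if win[1] > RATE_LIMIT:
            return False, "rate limited"
        if rec.revoked:
            return False, "revoked"
        if now - rec.created_at > KEY_LIFETIME:     # requirement 8
            return False, "expired"
        if client_ip != rec.allowed_ip:              # requirement 2
            return False, "ip mismatch"
        if action not in rec.scopes:                 # requirement 4
            return False, "scope denied"
        return True, rec.owner
```

The `now` parameter exists so expiry and rate limiting can be exercised deterministically; in a real service it would come from the clock. Note that IP binding (requirement 2) only works when the cron host has a stable egress address, which the store cannot detect by itself.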